Italian authorities for data protection

1. Preliminary considerations.

Cookies are small text strings that the sites visited by the user to send its terminal (usually the browser), where they are stored before being transmitted back to the same sites at the next visit to the same user. During the navigation of a site, the user can receive on his terminal even cookies that are sent from different web sites or servers (the “Third Party”), on which they may reside some elements (such as, for example, images, maps, sounds, specific links to pages on other domains) on the same site that are visiting.

Cookies, usually present in browsers of users in very large numbers and sometimes even large temporal persistence characteristics, are used for different purposes: running computer authentication, tracking sessions, storing information about specific configurations regarding the users who access server, etc.

In order to achieve proper regulation of these devices, it is necessary to distinguish job you do not have the technical characteristics that differentiate them from each other precisely on the basis of the objectives pursued by those who use them. In this direction has moved, however, the legislature itself, which, in implementation of the provisions of Directive 2009/136 / EC, has brought the obligation to obtain the prior and informed consent of users to install cookies used for purposes other than purely technical (cfr. art. 1, paragraph 5, letter. a) of the d. lgs. May 28, 2012, n. 69, which amended Article. 122 of the Code).

In this regard, and for the purposes of this provision, therefore identify two main categories: “technical” cookie and cookie “profiling”.

to. Technical cookies.

Technical cookies are those used for the sole purpose of “carrying out the transmission of a communication over an electronic communications network, or as strictly necessary for the provider of an information society service explicitly requested by the subscriber or user to provide this service “(cfr. art. 122, paragraph 1, of the Code).

They are not used for other purposes and are normally installed by the owner or operator of the website. Can be divided into the navigation cookie or session, which guarantee the normal navigation and use of the website (allowing, for example, to make a purchase or authenticate to access restricted areas); analytics cookies, similar to the technical cookies when used directly by the site operator to collect information, in aggregate form, the number of users and how they visit the site; functionality of cookies, that allow a user browsing the function of a set of selected criteria (for example, the language, the products selected for purchase) in order to improve the service rendered to the same.

For the installation of these cookies you are not required the prior approval of the users, while it remains subject to the obligation to provide the information pursuant to art. 13 of the Code, the operator of the site, if you use only such devices, may provide in the manner it deems most appropriate.

b. profiling cookies.

The profiling cookies are designed to create profiles on the user and are used in order to send advertising messages in line with the preferences expressed by the same part of surfing the net. Given the considerable invasiveness that such devices may have within the private sphere of the users, the European and Italian legislation requires the user to be properly informed on the use of the same and express their valid consent.

Article refers to them. 122 of the Code when it provides that “the storage of information in the terminal equipment of a contractor or a user or access to information already stored, are only allowed on condition that the contractor or the user has given his consent after being It was informed by the simplified procedures provided for in Article 13, paragraph 3 “(art. 122, paragraph 1, of the Code).

2. Parties involved: publishers and “third party”.

Another item to consider, for the correct definition of the matter under consideration, is subjective. Necessary, ie, take into account the different subject that installs cookies on the user’s terminal, depending on whether it is the same site manager that the user is visiting (which can be briefly listed as “publisher”) or site other than that installs cookies through the first (so-called “third parties”).

Based on the findings of the public consultation, it is considered necessary that this distinction between the two aforementioned individuals is taken into due account in order to correctly identify their roles and their responsibilities, with reference to the information release and all ‘ acquisition of consent of online users.

There are many reasons why it is not possible to put the editor in chief is obliged to provide information and to obtain the consent to the installation of the cookie as part of its well site to those set up by “third parties.”
First, the publisher should always have the tools and the economic and legal capacity to assume the obligations of third parties and should therefore also be able to check from time to time the correspondence between what is declared by the third parties and the purposes they really pursued through the use of cookies. This is made very difficult by the fact that the publisher often does not know directly all third-party cookies that install through its website and, therefore, even the logic underlying the relative treatments. Moreover, not infrequently between the publisher and third parties stand in the way actors who play the role of dealers, resulting in fact very complex for the editor control activity of all involved.

Cookies third parties may then be modified over time by third party suppliers and would be impractical to ask publishers to also keep track of these amended.

It should also be borne in mind that often the publishers, which include individuals and small businesses, are the “weakest part” of the relationship. Instead, when third parties are usually large companies with a significant economic weight, normally serve a plurality of publishers and can be compared to the individual publisher, also very numerous.

It is therefore considered that, also because of the reasons mentioned above, we can not force the publisher to enter the home page of its website also the text of the information about installed cookies through the latter by third parties. This will also lead to a general lack of clarity of the information from the publisher, making the reading of the document and therefore the understanding of the information in the same time very tiring for the user contained in it, thereby thwarting even the desire for simplification provided for by ‘art. 122 of the Code.

Similarly, as regards the acquisition of consent for profiling cookie, cut need for the above reasons distinguishing between the respective positions of publishers and third parties, it is believed that publishers, with which users establish a direct relationship with the ‘access to its website, necessarily assume a dual role.

These subjects, in fact, on the one hand are data controllers as to the installed cookies directly from your site; on the other, could not discerned a co-ownership with third parties for cookies that install themselves through them, was deemed correct to consider them as a kind of technical intermediaries between them and the users. And they are, therefore, in that capacity, as will be seen below, are called to work in the present resolution, with reference to the disclosure issue and acquisition of consent of online users with regard to the third-party cookies.

3. Impact of the rules on cookies on the network.

Cookies have several important functions in the network. Any decision on the modalities of disclosure and consent online, covering virtually anyone with an Internet site, will have a tremendous impact on a huge number of subjects, which are also, as has been said, the nature and profoundly different characteristics.

The Guarantor is aware of the scope of this Decision, therefore feels that the measures prescribed in the same pursuant to the provisions of art. 122, paragraph 1, of the Code are, firstly, that allow users to express choices really aware installation of cookies by manifestation of an express and specific consent (according to art. 23 of the Code) and, on the other hand, present the least possible impact in terms of interruption of the navigation of such users and use, on their part, IT services.

These conflicting requirements, emerged clearly during the public consultation and the meetings held by the Authority, are taken into account in the first place in determining the manner in which to provide notice in a simplified form.

It is also the belief of the Guarantor that the two issues, disclosure and consent, go necessarily jointly treated in order to prevent the use of expression of consent online mode requiring excessively complex operations by users jeopardize the simplification made in ‘disclosures.

4. The information with simplified modalities and the acquisition of the online consent.

For the purpose of simplifying the information, it is believed that an effective solution, which is subject to the requirements of Article. 13 of the code (including the description of individual cookies), is to set the same on two successive depth levels.

At a time when the user accesses a website, must be submitted to him an initial information “short”, contained in an immediate appearance banner on the home page (or other page through which the user can access the site), integrated from disclosure “extended”, which is accessed through a user-clickable link.

In order for simplification to take effect, it is considered necessary that the request for consent to the use of cookies is inserted right in the banner containing the brief statement. Users wishing to get more and more detailed information and differentiate their own choices about the different cookie stored by the visited site, can access other pages of the site, containing, in addition to the information text extended, the possibility to express more choices specifications.

4.1. The banner contains information short and consent solicitation.

More precisely, when you access the home page (or any other page) of a website, you must immediately appear in the foreground an appropriately-sized banner that is large enough to constitute a noticeable discontinuity through the contents of the web page you are visiting with the following information:

a) that the site uses cookies profiling in order to send advertising messages in line with the preferences expressed by the user as part of surfing the net;

b) that the site also allows the sending of cookies “third party” (where this to happen of course);

c) the link to the information extended, as provides guidance on the use of technical and analytics cookies, you are given the opportunity to choose which specific cookies to authorize;

d) an indication that the extensive disclosure page you can deny you to allow installation of any cookies;

e) an indication that the continuation of navigation through access to another area of the site or selecting an item of the same (for example, an image or a link) involves the provision of consent to the use of cookies.

The aforementioned banner, in addition to having to present sufficient size to accommodate the disclosure, albeit brief, must be an integral part of positive action in which substantiates the manifestation of consent. In other words, it must determine a discontinuity, albeit minimal, of the navigation experience: overcoming the banner to the video presence must be possible only by means of a user’s active intervention (precisely through the selection of an element in the page below the banner itself).

It remains of course still possible for publishers to use different ways from that described for the acquisition of the online consent to the use of user cookies, provided that such methods ensure compliance with the provisions of art. 23, paragraph 3, of the Code.

In accordance with the general principles, it is necessary in any case that of services provided and the user’s consent is tracked by the editor, who may for this purpose use a suitable technical cookies, system that does not seem particularly invasive (to that effect, see also recital 25 of the Directive 2002/58 / EC).

The presence of the then “documentation” of the user’s choices allows the publisher to not repeat the brief information on the second visit of the same user on the same site, without of course prejudice the possibility for the user to refuse consent and / or change, at any time and in an easy manner, their options regarding the use of cookies by the site, for example through access to the information extended, to be linkable from every page of the site.

4.2. The expanded disclosure.

The expanded disclosure must contain all the particulars required by art. 13 of the Code, describing in a specific, analytical features and purposes of cookies installed by the site and allow the user to select / deselect individual cookies. It must be accessible through a link included in the informative brief, as well as through a reference on each page of the site, located at the bottom of it.

Within this disclosure, it must also be added the current link to information and to the third party consent forms with which the publisher has signed agreements for the installation of cookies through its website. If the publisher has indirect contact with third parties, it will link the sites of the entities that act as intermediaries between him and the same third party. It will not rule out the possibility that such links with third parties are collected within a single web site operated by someone other than the publisher, as in the case of dealers.

In order to keep separate the responsibility of publishers from that of the third party in relation to the information made and acquired permission for cookies from the latter through its website, it is considered necessary that the publishers themselves acquire, already under contract, the abovementioned link by third parties (with this also understood the same dealers).

In the same space expanded disclosure must be called the opportunity for the user (which is referred to also art. 122, paragraph 2, of the Code) to express their preferences regarding the use of cookies by the site including through the browser settings, indicating at least the steps you need to configure these settings. If, then, the technology used by the site are compatible with the browser version you are using, the publisher will be able to establish a direct connection to the browser section dedicated to the same settings.

5. Notification of the treatment.

Please note that the use of cookies is one of those treatments to the notification to the Guarantor pursuant to art. 37, paragraph 1, lett. d) of the Code, where the latter is aimed to “define the profile or personality, or to analyze habits or consumption choices, or to monitor the use of electronic communications services with the exception of technically essential treatments to provide the same services to users. “

The use of cookies is, however, from the obligation to notify on the basis of the provisions of the decision of the Ombudsman of 31 March 2004, which expressly included among the treatments exempt from the aforementioned obligation, those “related to the use of markers electronic or similar devices installed or stored temporarily, and not persistent, in the terminal equipment of a user, consisting of the sole transmission of the session identifiers in accordance with the applicable regulations, the sole purpose of facilitating access to the contents of an Internet site “(resolution no. 1 of 31 March 2004, published in the Official Journal of 6 April 2004 n. 81).

Since the above scenario, it emerges therefore that while profiling cookies, which have characteristics of permanence in time, are subject to the notification, the cookies instead have different purposes that fall within the category of technical cookies, which are also assimilated the analytics cookies (v. point 1, lett. a) of this provision), they should not be notified to the Guarantor.

6. Time adjustment.

As already noted above, the Guarantor is aware of the impact, including economic, that the discipline on cookies will on the entire sector of the society of information services and, therefore, that the implementation of the measures necessary to implement the this measure will require a substantial commitment in terms of time.

For this reason, it is therefore considered appropriate to allow a transitional period of one year from the publication of this Decision in the Official Journal to allow stakeholders in this decision to avail itself of the simplified procedures identified therein.

7. Consequences of failure to comply with rules on cookies.

Please note that in the event of failure to give information or inappropriate, ie which does not have the items described, as well as in the provisions of art. 13 of the Code, in this provision, there is the administrative sanction for payment of a sum of six thousand to thirty-six thousand euro (art. 161 of the Code).

The installation of cookies on users’ terminals in the absence of the prior consent of projects involves, however, the payment of a fine of from ten thousand to twenty thousand euro (art. 162, paragraph 2-bis, of the Code).

The lack of or incomplete notification to the Guarantor, finally, under the provisions of art. 37, paragraph 1, lett. d) of the Code, it is punished by payment of a sum of twenty thousand to one hundred twenty thousand euro (art. 163 of the Code).


1. pursuant to art. 122, paragraph 1 and 154, paragraph 1, lett. h) of the Code -ai the detection of simplified procedures for the information that the website operators, as further specified in the introduction, are required to provide users with regard to cookies and other devices installed by or for the through its website it states that when you access the home page (or any other page) of a website, must immediately appear in the foreground an appropriately-sized banner containing the following information:

a) that the site uses cookies profiling in order to send advertising messages in line with the preferences expressed by the user as part of surfing the net;

b) that the site also allows the sending of cookies “third party” (where this to happen of course);

c) the link to the information extended, which must contain the following additional information regarding:

• use of technical and analytics cookies;

• option to choose which specific cookie to authorize;

• possibility for the user to express their preferences regarding the use of cookies by the site through your browser settings, indicating at least the steps you need to configure these settings;

d) an indication that the extensive disclosure page you can deny you to allow installation of any cookies;

e) an indication that the continuation of navigation through access to another area of the site or selecting an item of the same (for example, an image or a link) involves the provision of consent to the use of cookies;

2. pursuant to art. 154, paragraph 1, lett. c) of the Code for the purpose of maintaining the distinct responsibilities of the website operators, as further specified in the grounds, from that of the third party prescribes to the same operators to acquire already under contract connections (links) to web pages containing information and modules for the acquisition of consent related to the third-party cookies (with this also understood the dealers).

Is that a copy of this decision be forwarded to the Ministry of Justice for the purpose of publication in the Official Gazette of the Italian Republic edited by the Publishing Department in order.